Re: [RFC PATCH] xen/memory: Introduce a hypercall to provide unallocated space

From: Julien Grall <julien@xen.org>
To: Oleksandr <olekstysh@gmail.com>,
	Stefano Stabellini <sstabellini@kernel.org>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
	xen-devel@lists.xenproject.org,
	"Oleksandr Tyshchenko" <oleksandr_tyshchenko@epam.com>,
	"Daniel De Graaf" <dgdegra@tycho.nsa.gov>,
	"Daniel P. Smith" <dpsmith@apertussolutions.com>,
	"Ian Jackson" <iwj@xenproject.org>, "Wei Liu" <wl@xen.org>,
	"George Dunlap" <george.dunlap@citrix.com>,
	"Jan Beulich" <jbeulich@suse.com>,
	"Volodymyr Babchuk" <Volodymyr_Babchuk@epam.com>,
	"Roger Pau Monné" <roger.pau@citrix.com>,
	"Bertrand Marquis" <bertrand.marquis@arm.com>,
	"Wei Chen" <Wei.Chen@arm.com>
Subject: Re: [RFC PATCH] xen/memory: Introduce a hypercall to provide unallocated space
Date: Mon, 9 Aug 2021 15:51:18 +0100	[thread overview]
Message-ID: <93d0df14-2c8a-c2e3-8c51-54412190171c@xen.org> (raw)
In-Reply-To: <c83378af-4d3b-9256-0e0d-f88c43c6de2f@xen.org>

Hi,

I am writing down here what we discussed on another thread and on IRC. 
This will be easier to track in a single thread.

On 04/08/2021 23:00, Julien Grall wrote:
> On 04/08/2021 21:56, Oleksandr wrote:
>> Now, I am wondering, would it be possible to update/clarify the 
>> current "reg" purpose and use it to pass a safe unallocated space for 
>> any Xen specific mappings (grant, foreign, whatever) instead of just 
>> for the grant table region. In case, it is not allowed for any reason 
>> (compatibility PoV, etc), would it be possible to extend a property by 
>> passing an extra range separately, something similar to how I 
>> described above?
> 
> I think it should be fine to re-use the same region so long the size of 
> the first bank is at least the size of the original region.

While answering to the DT binding question on the DT ML, I realized that 
this is probably not going to be fine because there is a bug in Xen when 
mapping grant-table frame.

The function gnttab_map_frame() is used to map the grant table frame. If 
there is an old mapping, it will first remove it.

The function is using the helper gnttab_map_frame() to find the 
corresponding GFN or return INVALID_GFN if not mapped.

On Arm, gnttab_map_frame() is implementing using an array index by the 
grant table frame number. The trouble is we don't update the array when 
the page is unmapped. So if the GFN is re-used before the grant-table is 
remapped, then we will end up to remove whatever was mapped there (this 
could be a foreign page...).

This behavior already happens today as the toolstack will use the first 
GFN of the region if Linux doesn't support the acquire resource 
interface. We are getting away in the Linux because the toolstack only 
map the first grant table frame and:
  - Newer Linux will not used the region provided by the DT and nothing 
will be mapped there.
  - Older Linux will use the region but still map the grant table frame 
0 to the same GFN.

I am not sure about U-boot and other OSes here.

This is not new but it is going to be become a bigger source of problem 
(read more chance to hit it) as we try to re-use the first region.

This means the first region should exclusively used for the grant-table 
(in a specific order) until the issue is properly fixed.

A potential fix is to update the array in p2m_put_l3_page(). The default 
max size of the array is 1024, so it might be fine to just walk it (it 
would be simply a comparison).

Note that this is not a problem on x86 because the is using the M2P. So 
when a mapping is removed, the mapping MFN -> GFN will also be removed.

Cheers,

-- 
Julien Grall